Data breaches are a constant in today’s headlines, but in recent years the risk has been front and centre of some of the most significant M&A deals, writes Jake Olcott. In 2017, Verizon discounted its acquisition price by $350 million when Yahoo belatedly disclosed that it experienced several massive breaches. Then, in November last year, Marriott International publicly disclosed that Starwood’s guest reservation database – containing hundreds of millions of personal records – had been compromised since 2014 prior to the Marriott acquisition.
These incidents – along with countless others – raise critical questions. For example, how should Boards be thinking about cyber risk in the acquisition process? What steps should they take to address this risk prior to an acquisition?
First, Boards must understand that cyber risk can have a significant impact not only on the valuation of a deal, but also on future legal liability associated with the transaction. From a Board’s perspective, the fall-out from the Yahoo breach is significant: multiple securities class action lawsuits, D&O suits and recommendations for Board removal. Arguably, the Board’s responsibility in overseeing cyber risk management has never been more crucial.
Proper due diligence
How can organisations conduct proper due diligence into a potential acquisition target? In some circumstances, there may be a public record of an organisation’s cyber security posture. Organisations may have disclosed security incidents or issues due to their obligations in front of regulators. These disclosures may provide clues and insight for an acquiring organisation about the security posture of the target.
That said, public disclosure is unreliable. Organisations are disincentivised to disclose because it may negatively impact market value. Acquisition targets know that security issues can negatively impact their valuation. In fact, a 2016 survey by Brunswick found that half of all respondents said they would trim their valuation in situations where the target company had been breached whether the breach was discovered before, during or after the merger.
Acquirers will often try to send their cyber security/information security teams to the target in order to gain deeper perspectives on site about the risks and issues that may arise post-acquisition. This is important to properly account for any security ‘fixes’ your organisation will have to implement in order to bring the target up to your standards. However, this too comes with challenges. The tools that are available to an acquirer’s cyber team include questionnaires and penetration tests. Even if the target agrees, these methods are both time-consuming and reflect only a ‘snapshot in time’ view that doesn’t necessarily take any account of historical performance.
Challenges around market transparency
How can these challenges around market transparency be addressed in the real world, then? Investors are finding that Security Ratings can offer significant insight into a target’s cyber security posture and address the information asymmetry challenge. Similar to the way in which a credit rating provides unique insight into the transactional history of a consumer, Security Ratings providers continuously collect data in an automated, non-intrusive fashion in order to generate a data-driven and objective rating of security performance. Broad and deep data sets are available that highlight security performance and Best Practices, giving unique insight into what has – or has not – been managed efficiently over time.
Armed with this data, information security teams can then drill down deeper into the security details of an acquisition. Valuation teams can consider more deeply some of the risks that were previously opaque.
It’s never been more important to consider cyber risk in your investments. The cyber risk that a given company presents has been an often-overlooked element during the M&A process, but it doesn’t need to be that way. Asking the right questions – and acquiring the right data – can go a long way towards reducing the financial risk in a transaction. Board members should never hesitate to raise this issue with management during acquisition meetings.
Jake Olcott is Vice-President of Government Affairs at BitSight